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Abstract — The resilience of Supervisory Control and Data 
Acquisition (SCADA) systems for electric power networks for 
certain cyber-attacks is considered. We analyze the vulnerability 
of the measurement system to false data attack on communicated 
measurements. The vulnerability analysis problem is shown to be 
NP-hard, meaning that unless P = NP there is no polynomial time 
algorithm to analyze the vulnerability of the system. Nevertheless, 
we identify situations, such as the full measurement case, where 
it can be solved efficiently. In such cases, we show indeed that 
the problem can be cast as a generalization of the minimum cut 
problem involving costly nodes. We further show that it can be 
reformulated as a standard minimum cut problem (without costly 
nodes) on a modified graph of proportional size. An important 
consequence of this result is that our approach provides the 
first exact efficient algorithm for the vulnerability analysis 
problem under the full measurement assumption. Furthermore, 
our approach also provides an efficient heuristic algorithm for 
the general NP-hard problem. Our results are illustrated by 
numerical studies on benchmark systems including the IEEE 
118-bus system. 



I. Introduction 

Our society depends heavily on the proper operation of 
cyber-physical systems, examples of which include, but not 
limited to, intelligent transport systems, industrial automation 
systems, health care systems, and electric power distribution 
and transmission systems. These cyber-physical systems are 
supervised and controlled through Supervisory Control And 
Data Acquisition (SCADA) systems. Through remote terminal 
units (RTUs), SCADA systems collect measurements and send 
them to the state estimator to estimate the system states. The 
estimated states are used for subsequent operations such as 
system health monitoring and control. Any malfunctioning of 
these operations can lead to significant social and economical 
consequences such as the northeast US blackout of 2003 Q. 

The technology and the use of the SCADA systems have 
evolved a lot since they were introduced. The SCADA systems 
now are interconnected to office LANs, and through them 
they are connected to the Internet. Hence, today there are 
more access points to the SCADA systems, and also more 
functionalities to tamper with. For example, the RTUs can 
be subjected to denial-of- service attacks. The communicated 
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data can be subjected to false data attacks. Furthermore, the 
SCADA master itself can be attacked. In the context of secured 
cyber-physical systems in general, EJ, lO have considered 
denial-of- service-like attacks and their impact. EJ has studied 
replay attacks on the sensor measurements and O, [jS] have 
considered false data attacks. This paper investigates the cyber 
security issues related to false data attacks with the special 
focus on the measurement systems of power networks. The 
negative effects of false data attacks on power networks have 
been exemplified by malware such as Stuxnet and Duqu. 
False data attacks have received a lot of attention in the 
literature (e.g., [r7l- [[T4l ). ||71 was the first to point out that a 
coordinated intentional data attack can be staged without being 
detected by the state estimation bad data detection (BDD) 
algorithm, a standard part of today's SCAD A/EMS system. 
Q-El. IHl-O investigate the construction problem for 
such "unobservable" data attack, especially the sparse ones 
involving relatively few meters to compromise, under various 
assumptions of the network (e.g., DC power flow model [ITSl . 
[16]). In particular, ||7l poses the attack construction problem 
as a cardinality minimization problem to find the sparsest 
attack including a given set of target measurements. Refer- 
ences m, ||9l, |[T2l set up similar optimization problems for 
the sparsest attack including a given measurement. References 
ifTTl . |[T4ll seek the sparsest nonzero attack and [|T3l finds the 
sparsest attack including exactly two injection measurements 
and possibly more line power flow measurements, under the 
assumption that all power injections are measured. The solu- 
tion information of the above optimization problems can help 
network operators identify the vulnerabilities in the network 
and strategically assign protection resources (e.g., encryption 
of measurements and secured PMUs) to their best effect (e.g., 
191 , ifTOl . O). On the other hand, the unobservable data attack 
problem has its connection to another vital EMS functionality 
- observability analysis ifTSl . llT6l . In particular, solving the 
attack construction problem can also solve an observability 
analysis problem (this was explained in [TtI Section II-C]). 
This connection was first reported in [fTTI . and was utilized in 
1 18| to compute the sparsest critical /7-tuples for some integer 
p. This is a generalization of critical measurements and critical 
sets [15]. 

To perform the cyber- security analysis in a timely manner, 
it is important to solve the data attack construction problem 
efficiently. This effort has been discussed, for instance, in 
Q-lEl, ini-lllll, lEl. The efficient solution to the attack 
construction problem in ||8l is the focus of this paper. The 
matching pursuit method llT9l employed in |7| and the basis 
pursuit method ll20l (/i relaxation and its weighted variant) 
employed in |[T4l are common efficient (i.e., polynomial time) 
approaches to suboptimally solve the attack construction prob- 



lem. However, these methods do not guarantee exact optimal 
solutions, and they might not be sufficiently accurate. For 
instance, lfT2ll describes a naive application of basis pursuit and 
its consequences. While ifTTIl . UlAj provide polynomial time 
solution procedures for their respective attack construction 
problems, the problems therein are different from the one in 
this paper in that the considered problem in this paper is not a 
special case of the ones in ifTTIl . |[T4l . In particular, in [[TTI the 
attack vector contains at least one nonzero entry. However, this 
nonzero entry cannot be given a priori. This means that the 
problem considered in this paper is more general than the one 
in IfTTIl . {lAi needs to restrict the number of nonzero injection 
measurements attacked, while there is no such constraint in 
the problem considered in this paper. 

Other relevant previous work include llT2l . lITTl . lITSl . which 
also consider the data attack construction problem in this 
paper. In |[T2l . lITSl the attack construction problem is for- 
mulated as a graph generalized minimum cut problem (to be 
defined in Section HV-CI) . However, it is not known in |[T2l . 
ifTSl whether the generalized minimum cut problem can be 
solved efficiently (i.e., in polynomial time) or not. Indeed, O, 
ifTSl only provide approximate solutions. Instead, the current 
work establishes that the generalized minimum cut problem 
is indeed exactly solvable in polynomial time. This work 
establishes the result by constructing a practical polynomial 
time algorithm. Regarding ifTTl . one of the main distinctions 
is that ifTvl makes an assumption that no bus injections are 
metered. The current result requires a different assumption 
that the network is fully measured as in llT3l (i.e., all bus 
injections and line power flows are metered). In addition, ifTTl 
considers a more general case where the constraint matrix is 
totally unimodular, whereas the focus of the current paper is a 
graph problem. The setup considered by this paper is specific 
to power network applications and thus it enables a more 
efficient solution algorithm. Finally, note that the notion of 
minimum cut problem has been explored also in other power 
network applications (e.g., ll2T1l - ll23l ). 

Outline: In the next section, we present the optimization 
problem of interest, namely the security index problem, and 
discuss its applications. Then Sections [nil HYl and [Vl present 
the technical contributions of this paper, focusing on a spe- 
cialized version of the security index problem defined in dS) 
in the end of Section HFbI In Section [Till the complexity of the 
security index problem is analyzed. We show that the security 
index problem is NP-hard in general, but in Section |IV] we 
demonstrate that under some realistic assumptions it can be 
restated as a generalized minimum cut (Min Cut) problem. 
In Section IVl we show that the generalized Min Cut problem 
can be solved efficiently, by reformulating it as a classical 
Min Cut problem. The specialized version considered in 
Sections [Till |IVl and [Vl turns out to be not restrictive, as far as 
the application of the proposed results is concerned. This will 
be explained in Section [Vll In Section IVIII a simple numerical 
example is first presented to illustrate that the proposed solu- 
tion correctly solves the generalized Min Cut problem, while 
previous methods cannot. Then the efficiency and accuracy 
of the proposed solution to the security index problem are 
demonstrated through a case study with large-scale benchmark 



systems. We also demonstrate that our method provides an 
efficient and high quality approximate solution to the general 
problem security index problem which is NP-hard. 

II. The Security Index Problem 

In Section III-AI the mathematical model of the power 
networks considered is first described. Then in Section III-BI 
the security index of power networks is defined. 

A. Power Network Model and State Estimation 

A power network is modeled as a graph with n + 1 nodes 
and m edges. The nodes and edges model the buses and 
transmission lines in the power network, respectively. In the 
present text, the terms node and bus are used interchangeably, 
and the same is true for edges and transmission lines (or simply 
lines). The topology of the graph is described by a directed 
incidence matrix A G in which the directions along 

the edges are arbitrarily specified lfT2l . The physical property 
of the network is described by a nonsingular diagonal matrix 
D G W^^^, whose nonzero entries are the reciprocals of the 
reactance of the transmission lines. In general, the reactance 
is positive (i.e., inductive) and hence the matrix D is assumed 
to be positive definite throughout this paper. 

In the sequel, the set of all nodes and the set of all directed 
edges of the power network graph are denoted and E^, 
respectively. The edge directions are consistent with those in 
A. An element of is denoted by Vi G V^, and an element 
of E^ is denoted by (v,-, v^) G E^ for v,- G and v^- G V^. The 
set of all neighbors of v/ is denoted by N{vi). A node vj is a 
neighbor of v/ if either (v/,Vj) G E^ or (vj,v/) G E^. 

The states of the network include bus voltage phase angles 
and bus voltage magnitudes, the latter of which are typically 
assumed to be constant (one in the per unit system). Therefore, 
the network states can be captured in a vector 6 G [0^271^^^. 
The state estimator estimates based on the measurements 
obtained from the network. In reality the model relating 
the states and the measurements is nonlinear. However, for 
state estimation data attack analysis Q-O, ifTTl (and more 
traditionally bad data analysis ifTSll . |[T6l . ll24l ) it suffices to 
consider the DC power flow model lITSl . |[T6l . In the DC power 
flow model the measurement vector, denoted as z, is related 
to e by 

" PiDA^ ' 
-P2DA^ 
P^ADA^ 

In ([T]), Az can either be a vector of random error or intentional 
additive data attack (e.g., |7|), and P\, P2 and consist of 
subsets of rows of identity matrices of appropriate dimensions, 
indicating which measurements are actually taken. The term 
PiDA^O contains line power flow measurements, measured at 
the outgoing ends of the lines. Similarly, —P2DA^0 contains 
the line power flow measurements at the incoming ends of 
the lines. The term P^ADA^ 6 contains bus power injection 
measurements, one entry for each measured bus. 

Measurement redundancy is a common practice in power 
networks ifTSll , lfT6l . Therefore, it is assumed in this paper 



z = He^Az, where H 



(1) 



that the measurement system described by H is observable - 
meaning that if any column of H is removed the remaining 
submatrix still has rank n ifTSl . lfT6l . Note that H cannot have 
rank ^ + 1 since the sum of all columns of H is always a 
zero column vector (a property of any incidence matrix A). In 
the practice of power system state estimation, it is customary 
to designate an arbitrary node as the reference and set the 
corresponding entry of to zero. Without loss of generality, 
it is assumed that the first entry of is zero (i.e., 0(1) =0) 
and denote 02: as the rest of the entries of Q. For convenience, 
let H2: denote H with the first column removed. By definition, 
HQ = //2:02: and H2: has full column rank (= n) since H is 
observable. Given measurements z, the estimate of the network 
states is typically determined via the least squares approach 
Ca, Id: 



02: = {H2:WH2:) H2.'Wz, 



(2) 



where is a given positive-definite diagonal matrix, whose 
nonzero entries are typically the reciprocals of the variances of 
the measurement noise. The state estimate = [O Oj] is 
subsequently fed to other vital SCADA functionalities such 
as optimal power flow (OPF) calculation and contingency 
analysis (CA). Therefore, the accuracy and reliability of Q 
is of paramount concern. 

B. Security Index 

To detect possible faults or data attacks in the measurements 
z, the BDD test is commonly performed ( ifTSll , |[T6l ). In a 
typical strategy, if the norm of the residual 

residual = Z-//2: ^2 = (/-i^2:(^2:^W^2:)"^^2:^^)Az (3) 

is too big, then the BDD alarm is triggered. The BDD test is in 
general sufficient to detect the presence of a random error Az 
ifTSl . |[T6l . However, in face of a coordinated malicious attack 
the BDD test can fail. In particular, in fT\ it was reported that 
an attack of the form 



(4) 



for an arbitrary A0 G R"+^ would result in a zero residual in © 
since HAQ = H2AQ2: for some A02: ^ I^''. Data attack in the 
form of dl]) is unobservable from the BDD perspective, and this 
was also experimentally verified in [|25l in a realistic SCADA 
system testbed. Since Q, there has been a significant amount 
of literature studying the unobservable attack in (|4} and its 
consequences to state estimation data integrity (e.g., liSl- lfTTIl . 
Ca, O). In particular, [8| introduced the notion of security 
index for a measurement k as the optimal objective value 
of the following cardinality minimization problem: 

ak = min csiYdiHAO) 

a0gM"+i (5) 

subject to H{k, :)Ae = 1, 

where card(-) denotes the cardinality of its argument, k is 
the label of the measurement for which the security index 
is computed, and H{k^:) denotes the k^^ row of H. is 
the minimum number of measurements an attacker needs to 
compromise in order to attack measurement k without being 
detected. In particular, a small aj^ implies that measurement k 



is relatively easy to compromise in an unobservable attack. 
As a result, the knowledge of the security indices for all 
measurements allows the network operator to pinpoint the 
security vulnerabilities of the network, and to better protect 
the network with limited resource. For example, [9 1 proposed 
a method to optimally assign limited encryption protection 
resources to improve the security of the network based on its 
security indices. 

It should be emphasized that the security index defined 
in dl]) can provide a security assessment that the standard 
power network BDD procedure [fTSl . [fT6l might not be able 
to provide. As a concrete example lISl, consider the simple 
network whose H2 matrix is 



H2: = 





-1 




-1 








1 








1 





-1 





-1 





From (|2]), the "hat matrix" 
according to 



(6) 



Ca, CSl, denoted K is defined 



Z = H2: 62 = H2: (//2: ^ Wif 2: ) 



~^H2:^Wz = Kz. 



Assuming W 



K- 



/, the K matrix associated with H2 in Q is 

0.4 \ 
-0.2 
0.2 



/ 0.6 
0.2 
-0.2 


V 0.4 



0.2 
0.4 
-0.4 


-0.2 



-0.2 
-0.4 
0.4 


0.2 





0.6 / 



(7) 



The hat matrix K shows how the measurements z are weighted 
together to form a power flow estimate t The rows of the hat 
matrix can be used to study the measurement redundancy in 
the system ifTSl . |[T6l . Typically a large degree of redundancy 
(many non-zero entries in each row) is desirable to compensate 
for noisy or missing measurements. In (|7]l, it is seen that all 
measurements are redundant except the fourth which is called 
a critical measurement. Without the critical measurement 
observability is lost. From the hat matrix one is led to believe 
that the critical measurement is sensitive to attacks. This is 
indeed the case, but some other measurements can also be 
vulnerable to attacks. It can be shown - for example using 
the method that we develop, that the security indices a^, 
k= 1,...,5, respectively, are 2, 3, 3, 1, 2. Therefore, the 
fourth measurement (critical measurement) has security index 
one, indicating that it is indeed vulnerable to unobservable 
attacks. However, the first and the last measurements also have 
relatively small security indices. This is not obvious from K in 
d?]). Hence, we cannot rely on the hat matrix for vulnerability 
analysis of power networks. 

For ease of exposition but without loss of generality, instead 
of dU) the following version of the security index problem with 
a specialized constraint will be the focus of the parts of the 
paper where the main technical contributions are presented 
(i.e.. Sections inDIIVl and [Vl): 

minimize card (HA 6 ) 
subject to A{\,eYAe^O, 



(8) 



where ^ G {1,2, . . . ,m} is given. The restriction introduced in 
^ is that it can only enforce constraints on edge flows but 
not on node injections as directly allowed by (0). We will see 
however in Section |Vl] that all results obtained for dS) can be 
extended to the general case in (|5]). 

III. The Security Index Problem is NP-hard 

Consider a variant of (0) where k is not fixed (i.e., one 
wishes to minimize card (//AO) under the constraint that at 
least one entry of HAG is nonzero). This variant of (|5]) is 
known to be the cospark of H2: in compressed sensing ll26l . 
The cospark of H2: is the same as the spark of F, where F 
is a matrix of full row rank such that FH2 = 1261 . The 
spark of F is defined as the minimum number of columns 
of F which are linearly dependent L27 J . It is established that 
computing the spark of a general matrix F is NP-hard ll28l . 
1291 . Consequently, because of the equivalence between spark 
and cospark, unless P = NP there is no efficient algorithm 
to solve the security index problem in ^ if the H matrix is 
not assumed to retain any special structure. In power network 
applications, the H matrix in fact possesses special structure 
as defined in ([T]). Nevertheless, the security index problem, 
even the specialized version in ([5]), is still computationally 
intractable as indicated by the following statement: 

Theorem 1: Unless P = NP, there is no polynomial time 
algorithm that solves the problem (|8]), with H defined in ([T]), 
even if D is the identity matrix and ^2 = 0- 

Proof: Our proof proceeds by reduction from the positive 
one-in-three 3 SAT problem fSOl: Given a set of M triples of 
indices Cj = (aj^Pj^Yj) ^ {1, • • • does there exist a vector 
X G {0, 1}^ such that for every j, exactly one among XapX^.^Xy. 
is 1 and the others 0. 

Consider an instance of the positive one-in-three 3 SAT 
problem, and let us build an equivalent instance of (O. We 
set P2 to 0, and set D as the identity matrix. As a result, non- 
trivially zero entries of HAG corresponding to edges (/, j) will 
be of the form AGi — AGj, while those corresponding to a node 
/ will be of the form Y,j:{ij)eE{^^j ~ ^^i)- We remind that the 
entry of an edge is trivially zero if the corresponding entry in 
Pi is 0, and that of a node is trivially zero if the corresponding 
entry of is 0. 

We begin by defining a node 1 and a node connected by 
an edge whose corresponding entry in Pi is set to 1. We set 
k such that the constraint H{k/.)AG = 1 in (|5]) corresponds 
to this edge, so that their must hold A^i — A^o = 1 for any 
solution of the problem. Since HAG is not modified when 
adding a constant to all entries of AG, we assume without loss 
of generality that A^i = 1 and AGq = 0. 

The goal of the first part of our construction is to represent 
the variables. For every / = 1, . . . we define a node Xi that 
we connect to both 1 and 0. We set to 1 the entries of Pi 
corresponding to the edges (l,^;) and (0,Xi), and to the 
entries of P3 corresponding to Xi. Observe that the two entries 
of HAG corresponding to these two edges are 1 — AGx^ and 
— AGx-, which cannot be simultaneously 0. Moreover, one of 
them is equal to zero if and only if AGj. is either or 1. 

Taking into account the fact the entry of HAG corresponding 
to the edge (1,0) is by definition 1, we have thus proved that 



card(//A0) >n-\-l for any AG, independently of the rest of 
the construction. Moreover, card {HAG) =n-\-l only if AGj. G 
{0,1} for every /, and if the entries of HAG corresponding 
to all the edges and nodes introduced in the sequel are 0. 
The remainder of the construction, represented in Fig. [T] is 
designed to ensure that all these entries can be only if the 
(binary) values AGx^ solves the initial instance of the positive 
one-in-three 3 SAT problem. 

We first generate a reference value at ^ for every clause: We 
define two nodes indexed by | and ^ , and add the connections 
(1,|),(|,^),(^,0). The entries of Pi corresponding to these 
connections are set to 0, but the entry of corresponding to 
the nodes ^ and | are set to 1. Besides, we define for every 
clause j = 1,...,M a clause node cj connected to ^ by an 
edge whose corresponding entry in Pi is set to one. 

The entries of HAG corresponding to the edges between ^ 
and Cj are AGi —AGcj, which are thus zero only when AGcj = 
AGi for every j. Using these equalities, observe now that the 
entry of HAG corresponding to ^ is 

M 

AGi +Aeo+^Aec. -(2 + M)Aei =AG2 +0-2Aei, 
i=l 

while the entry corresponding to | is 1 +AO1 —2 AG 2. These 
two entries are thus equal to zero if and only if A02 = | and 
AGcj = AGi = ^ for every j, as intended. 

We now represent the clauses. For each j, we connect the 
clause node Cj to the nodes Xaj, xp. and Xyj of the three 
variables involved by edges whose corresponding entries in 
Pi are zero. On the other hand, we set to 1 the entry of 
corresponding to cj. The corresponding (non trivially zero) 
entries of HAG are then 

AGxaj^AGxp. ^AGxyj - 3AGcj AGxaj^AGx^. -^AGxy. - 1. 

Remembering that AGx^ is either 1 or for any /, this latter 
expression can be zero only if exactly one among AGxap 
AGxp. and AGxy. is 1. If that is the case, setting Xi = AGx^ for 
every / yields a vector x that solves the instance of positive 
one-in-three 3 SAT. 

We have thus shown that there exists a AG for which 
card {HAG) =n-\-l only if the AGj. are binary, and if the binary 
vector X obtained by setting Xi = AGj. solves the instance of 
positive one-in-three 3 SAT. Conversely, one can verify that if 
a binary vector x solves the instance of the one-in-three 3 SAT 
problem, then setting AGx^ = Xi for every /, AGcj = AGi = ^ 

for every j and AG 2 = | yields a cost card {HAG) =n-\-l. The 
latter cost can thus be obtained if and only if the initial positive 
one-in-three 3 SAT problem is achievable. This achieves the 
proof because our construction clearly takes an amount of 
time that grows polynomially with the size of the instance 
C, and unless P = NP there is no polynomial time algorithm 
that solves the positive one-in-three 3 SAT ll30l . 

■ 

Remark 1: ([5]) is also NP-hard since ([5]) is a special case of 



1? 




Fig. 1. Representation of a part of the construction of the proof of Theorem [T] 
including the reference values of A0 and one clause Cj. Edges are represented 
by dashed line when they are measured and continuous lines otherwise. Nodes 
are represented by squares when they are measured and circles otherwise. If 
card {H AO) =n+l, AO takes only values 1 and for the Xi and all entries 
of HAO other than those corresponding to the nodes Xi must be zero. As a 
result, a dashed edge transmits no current and enforces equality between the 
values of the nodes to which it is incident, and circle nodes enforce that the 
sum of the currents on the incident edges should be 0. These constraints can 
only be satisfied if AOcj = ^, and if exactly one of the nodes involved in each 
clause is at 1 and the others at 0. 

IV. Tractable Special Cases of the Security Index 
Problem 

In Section IIV-AI we show that, under the full measurement 
assumption, the security index problem can be solved by solv- 
ing its restriction where decision variables take binary values. 
Section ITV-B I presents the proof of the statement which implies 
our finding in Section IIV-AI Section IIV-BI also discusses the 
relationship between the security index problem and its binary 
restriction defined in Section HV- Al Section ITV-C I describes the 
consequences of Sections IIV-AI and IIV-B[ explaining how the 
security index problem can be reformulated as a generalized 
minimum cut problem with costly nodes, a graph problem 
whose efficient solution will be discussed in Section jV] 

A. The Security Index Problem Under Full Measurement 
Assumption 

Even though in general the security index problem in 
dS]) is NP-hard for H defined in ([T]), there exist interesting 
specializations that are solvable in polynomial time. One such 
case is the full measurement situation where Pi = I, P2 = I 
and P3 = 1. In |[T2ll . |[T3l the full measurement assumption 
is also considered, motivated by the situations where all 
power flows and injections are measured in future smart grid 
applications. The polynomial time complexity of ([5]) under 
the full measurement assumption can be established in three 
steps. Firstly, it can be shown that problem ^ can be solved 
by solving a restriction where the decision vector A0 is a 
binary vector. Secondly, in Section HV-CI it will be shown that 
the binary restriction of dS} can be expressed in a generalized 
Min Cut problem with costly nodes. Finally, this generalized 
Min Cut problem can be shown to be solvable in polynomial 
time. This is to be explained in Section (V] 

The first step is formalized in the following statement, 
whose preliminary version appeared in [|T2l . 

Proposition 1: Let H in ^ satisfy the full measurement 
assumption that Pi = /, P2 = L and = /. Consider the 



following restriction of problem dS} with 0-1 binary decision 
vector: 

minimize card A Q ) 

A0e{O,if+i (9) 

subject to A(:,^)^A0 7^0. 

It holds that every optimal solution of (|9]) is an optimal solution 
of ([5]) (i.e., the problem with the same formulation except that 
A0 is not restricted to binary values). 

Proof: Proposition [T] is a corollary of the more general 
Theorem [2] to be described in Section IIV-BI ■ 
Remark 2: Since there cannot be any all zero column 
in any incidence matrix A, problem dU) and dS are always 
feasible. Proposition [T] states that, under the full measurement 
assumption, an optimal solution of dSl) can always be obtained 
by solving d9]). The later problem will be shown to be solvable 
in polynomial time. 

B. The Security Index Problem with Binary Decision Vector 

In the sequel, let Cij > represent the cost of attacking 
the power flow measurements of a line (v/,Vj), and pi > 
the cost of attacking the injection measurement at bus v^. 
Problems dSJ can be reformulated in a more general way that 
also allows taking into account the fact that tempering with 
certain measurements may be more expensive than with some 
others: 

minimize c^g{DA^Ae) + p^g{ADA^Ae) 

subject to A(:,^)^A0 7^ 0, 
and the corresponding reformulation of dD is defined by 
minimize c^g{DA^Ae) + p^g{ADA^Ae) 

A0G{o,ir+i (11) 

subject to A{:,e)^AO ^ 0. 

In ([TOb and (fTTI) . g is a vector- valued indicator function such 
that for any vector x, gi{x) = 1 if Xij^O and gi{x) = other- 
wise. It can be seen that if Cij G {0, 1,2} and pi G {0, 1}, then 
dH) and dS]) are recovered. Let [ZM^AO] ^ denote the entry 

of DA^AO corresponding to edge {vi.vj), and let [ADA^A6]^_ 
denote the entry of ADA^AO corresponding to node v^. With a 
slight abuse of notation, the symbol g( [ZM^AO] ^^.^.^) denotes 

the entry of g{DA^AO) corresponding to (vi^vj). In addition, 
g (IADA^AG]^^ is defined similarly. 

The following theorem characterizes the relationship be- 
tween the security index problem in dS]> and its binary re- 
striction in d2l) by studying their respective generalizations of 
dTOl) and dHJ for arbitrary nonnegative vectors c and p. 

Theorem 2: Let Jc and respectively, denote the optimal 
objective values of dTOl) and dTTt with A and D defined in dD. 
ceW^, pe ]R++^ and ^ G {1,2, . . . ,m} given. Then 

0<Jb-Jc< y maxio, max {pi-Cij}\. (12) 

Proof: First note that both dTOl) and dHJ are always 
feasible with finite optimal objective values attained by some 
optimal solutions. In addition, < — holds because dTTt 
is a restriction of dTOl ). To show the upper bound in dI3 



the main idea is that for each feasible solution A6 of ([TOb 
it is possible to construct a feasible solution of (fTTI) . such 
that the objective value difference is bounded from above 
by max^O, max \pi — Cij}>. The construction is as 

follows. Let AO be a feasible solution of ([TOb . and let A6{vi) be 
its entry corresponding to node vt G V^. Since AO is feasible, 
the constraint A (:, ^)^A0 7^ implies that there exist two nodes 
denoted and Vt with e corresponding to either (v^,v^) or 
(v^,v^) such that AO{vs) AO{vt). Without loss of generality, 
it is assumed that AO{vs) > AO{vt). Define G {0, l^^^ by 



ifAe{vi)>Ae{vt) 
ifAe{vi)<Ae{vt) 







(13) 



Note that A(j) is feasible to (fTTI) since A0(v^) 7^ A0(v^) by 
construction. Also notice that for any two nodes Vi and vj if 
A6{vi) = A6{vj) then A0(v;) = A(j){vj). Hence, in the objective 
functions of ([TO]) and it holds that 

ctjg{[DA^Ae]^^^^^^)>ctjg{[DA^A(^]^^^^^^^ V (v,, v,-) G 

(14) 

In other words, for each edge the contribution to the objective 
function with the new solution A0 is smaller than or equal to 
that with the initial one AO. To finish the proof, the objective 
function contribution due to the node injections needs to be 
investigated. Let ^ be defined such that 

vteVt ^ g([ADA^Ae]]=0,g([ADA^A(^]] = l. 

(15) 

In essence, encompasses all causes for > Jc- Con- 
sider Vi G 14, since g (^ADA^ A(^^^^ = 1, there exists G 
N{vi) such that AB{vk) 7^ Ad{vi). Consequently, the fact 
that g{^ADA^ AQ^^^ = implies that there exists v^^ = 
argmax^^^^(^.){Ae(vy^)} such that Ae(v+) > A0(v/). Sim- 
ilarly, there exists vJ' = argmin^^^^(^.){A0(vy^)} such that 
Ae(vr) < AO{vi). If Ae(v,) > Ae(v/), then ^ implies 
that A0(v^+) = A0(v;) = 1. In addition, it holds that if 
G Vb then 7^ argmax^^^^^^+^J{AO(vy^)}. This is true be- 
cause argmax^^^^(^+){Ae(v;t)} > Ae(v+) > Ae(v,-) if v+ G Vt. 
Conversely, if Ae{vi) < A0(v^), then A(^(vr) = A0(v/) = 
0. Similar to the case with v^, if vJ' G Vt, then v/ 7^ 
argmin^^^^^^-^){AO(vy^)}. In summary, for each Vi G V^, there 
exists an edge ei G in one of the following forms (v;,v^t), 
(v+,v,-), (v,-,vr) or (vr,v,-) such that 

g([m^Ae]^.) = 1, g([m^A0]^.) =0 (i6a) 

^.•7^^; Vv,-7^vy (16b) 
{ei\vieVt}\ = \Vb\ (16c) 

Using the above argument, the inequality in ([T2I) can be 
deduced as follows: For all feasible solutions A0 of (fTOl) , it 
holds that 

Jb - Jg{DA^Ae) - p^g{ADA^Ae) 
Jg{DA^A(\)) + g{ADA^ A(\)) 
-Jg{DA^Ae)-p^g{ADA^Ae) 



< 



(17) 



because A0 is a feasible solution of (fTTI) and is the optimal 
objective value of (fTTI) . Because of (I16bl) , {^^ | G I4} does 
not contain duplicated edges. Therefore, the right-hand- side of 
(fTTI) is equal to 



+ ^ L Q,U([m^A,/.]J-g([m^A0]j] 
+ I pAg([ADA^^<^>]\-g([ADA^^e]\) 

(18) 

In addition, because of (fTSl) , (I16al) and (I16cl) the expression in 
(fTSl) is equal to 

+ I A-(^([Am^A0]^.)-g([Am^Ae]^. 

+ ^ L cJg([z)A^A0]^.)-g([m^Ae]^jy 

(19) 

Because of (fTSl) and ([T4b . the last two sums in (O are 
nonpositive. Therefore, it holds that 

4 - c^g(Z)A^Ae) - p^g{AD^AQ) 



< 



< 



< 



max {pi 



(20) 



max 



max I 



Finally, since (l2Ql) applies to all feasible solutions AO of (fTOl) , 
the upper bound in ([T2I) follows. ■ 

Remark 3: The full measurement assumption in Proposi- 
tion [T] corresponds to a special case in Theorem |2] where Cij = 2 
for all (v;,Vj) G and pi = 1 for all Vi G V^. The inequalities 
in ([T2I) imply Proposition [T] 

Remark 4: Theorem [2] suggests other situations where (HJ 
and © are equivalent. One example is when there is a meter 
on each edge and there is at most one meter in each node. 
In this case, [P\^P2^] does not have a zero column and 
P3 consists of subsets of rows of an identity matrix. This 
corresponds to Cij = 1 and pi < 1 for all /, j in Theorem [21 
Another situation suggesting equivalence is as follows: if an 
edge is not metered, then its two terminal nodes are not 
metered either. This corresponds to a case when p, < min c;/ 

for all Vi G V^, implying that max \pi — Cij] = 0. 

Remark 5: Without the full measurement assumption or 
conditions such as those described in Remark lU solving © 
can lead to an approximate solution to ^ with an error upper 
bound provided by ([T2]) . This error bound, however, is rather 



conservative since the summation is over all nodes Vi G V^. As 
developed in the proof, the summation is in fact over a subset 
Vh of V^. However, in general it is difficult to characterize the 
Vh which leads to the tightest possible upper bound without 
first solving ^ to optimality. 

C. Reformulating the Security Index Problem into Generalized 
Min Cut Problem with Costly Nodes 

The above discussion suggests that the (exact or approxi- 
mate) solution to the security index problem is obtained by 
solving (fTTI) . whose graph interpretation will be the focus of 
this subsection. In (fTTI) the choice of or 1 for each entry of 
is a partitioning of the nodes into two parts. The constraint 
A(:,^)^AO 7^ enforces that the two end nodes of edge e, 
denoted as and V/, must be in two different parts of the 
partition. In the objective function, the term c^g(ZM^AO) is 
the sum of the edge weights of the edges whose two ends are 
in different parts (i.e., edges that are "cut", in an undirected 
sense). In addition, since A0 has binary entries, a row of 
AZM^AO is zero if and only if the corresponding node and all 
its neighbors are in the same part of the partition (i.e., none of 
the incident edges are cut). Therefore, the term g{ADA^ 
in the objective function is the sum of the node weights of the 
nodes connected to at least one cut edge. In summary, (fTTI) can 
be reinterpreted as a generalized minimum cut problem on an 
undirected graph (i.e., the original power network graph with 
the edge direction ignored). The generalization is due to the 
presence of the node weights. 

We now define formally the Min Cut with costly 
nodes problem (on any given directed graph) of which ([Til 
is a special case. Let G{y^E) be a directed graph (we will see 
that the problem can be particularized to undirected graphs), 
where V denotes the set of nodes {vi , . . . , v„+i }, and E the set 
of directed edges; and suppose that a cost Cij > is associated 
to each directed edge (v;,Vj) and a cost pi > is associated to 
each node v^. We designate two special nodes: a source node 

and a sink node Vf. The problem is the following: 

Problem 1: 

The Min Cut with costly nodes problem. 
Find a partition of V, denoted as P = such that 

Ss,St(zv, Ssf^St = ^, SsyjSt = y, seSs, teSt 

which minimizes the cost 

c{P) = L Cij 

{vi ,Vj ) ^E:vi eSs ,Vj eSt 

+ I Pi+ E Pj- 

Vi eSs'3{vi ,Vj ) ^E:vj eSt vj GiS^: 3 ( v/ ,Vj ) ^E:vi eSs 

(21) 

By convention, if Vi G Ss^vj G St^ for two nodes Vi,Vj, we will 
say that both these nodes, and the edge (v;,Vj), are in the cut, 
or that this edge is cut. 

Notice that in a directed graph an edge (v;,vy) is cut if 
Vi e Ss and v^- G St but not in the reverse case, where G St and 
Vj G Ss, and the cost Cij is not incurred in that latter case. This 
asymmetry disappears however in symmetric graphs, in which 
to each edge (vi^vj) with weight Cij corresponds a symmetric 
edge (vj^Vi) with same weight. For these symmetric graphs. 
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Fig. 2. Representation of the auxiliary graph G associated to the graph G. 
The dotted diagonal edges all have the same weight C > maxp/. The vertical 
dashed edges linking Wi to and to Zi have weight pi. 



the cost Cij is incurred as soon as and vj are not in the same 
set. Indeed, exactly one among (vi^vj) and (vj^Vi) is in the cut 
in that case. The cost ([211 consists then of the sum of the Cij 
over all pairs of nodes v/,Vj that are in different sets, and 
consists of the sum of the pi over all nodes that are adjacent 
to nodes in a different set. This is problem (1171) . In addition, 



by letting 



2 for every edge and pi = 1 for every 



node, one recovers problem (|9]l under the full measurement 
assumption. We will show in Section |Vl how to solve Problem 
[H and therefore the problems in (fTTT l. ^ and (|8]l. 

V. An efficient solution to the tractable cases of 

THE SECURITY INDEX PROBLEM 

This section presents the efficient solution to the Min Cut 
with costly nodes problem (i.e.. Problem [TJ introduced 
in Section ITV-C[ The proposed solution method also solves the 
security index problem under the full measurement assump- 
tion, since this problem is a special case of the Min Cut 
with costly nodes problem. 

A. Construction of an Auxiliary Graph 

Consider a directed graph G(y,£'), V = {vi, . . . , v„+i} with 
a set of nonnegative weights Cij > 0, and pi > for each node 
Vi eV, a source node and a sink node V/. We build an 
auxiliary graph G using the following algorithm, illustrated in 
Fig. [2] on an example: 

1) Define the set V = {vi^Wi^Zi : 1 < / < ^ + 1} of nodes of 
the auxiliary graph. 

2) Designate and Vt as source and sink nodes respec- 
tively. 

3) For all 1 <i <n-\-l, add the two directed edges (wi^Vi) 
and {vi^Zi)^ both with cost pi. 

4) For all 1 < /, J < ^ + 1 : (v,-, v^) G E 

• add the edge (Vi,Vj) with cost Cij. 

• add the two edges (vi^wj) and (Zi,Vj), both with a 
cost C > msiXiPi. 

The intuition behind the construction of G is the following: 
Suppose that one wants to cut the edge (v^Vj), then one must 
also cut at least either (v;,Z;) or (z^Vj) (see Fig. O. Because 
the latter has a higher cost C, one will naturally cut {vi^Zi), 



incurring a cost pi. Moreover, since that edge does not depend 
on J, one just needs to cut it (and pay the associated cost) once, 
independently of the number of other edges (v/, Vy^) that will be 
cut. A similar reasoning applies to the path (v/, Wj) or {wj^vj). 
Therefore, the cost of a minimum cut on G will consists of 
the sum of all Cij for all edges (v;,Vj) in the cut, and of the 
sum of all Pi for nodes incident to one or several edges (v;,vy) 
or (vj^Vi) in the cut, i.e., to the cost of the equivalent cut on 
the initial graph G, taking the costly nodes into account. 

B. Equivalence with Min Cut on the Auxiliary Graph 

We now show formally that solving the standard Min 
Cut problem on this weighted graph provides a solution to 
Problem [T] on the initial graph, and that a solution is obtained 
by directly translating the partition of the into the equivalent 
partition of the v/. 

Theorem 3: Consider a graph G{V^E) with a set of weights 
Cij > for each edge (vi^vj) G E, and pi > for each node 
Vi G y, a source node and a sink node v^. Let G(y,£) be the 
modified graph obtained from G by the procedure described 
above, and the partition V = {Ss^St} be an optimal solution 
of the standard Min Cut problem for G. Then the partition 
of y, obtained by letting Vi G Ss if and only if G Ss, 
is an optimal solution to Problem [T] on G. 

Proof: Let us call respectively c* and c* the optimal cost 
of Problem [T] on the graph G and Min Cut problem on the 
graph G. In the sequel, we always assume that the source and 
sink nodes belong to the appropriate set of the partition. 

We first prove that c* < c* , by showing that for any cut in 
G with cost c (i.e., the sum of the costs of the edges and the 
nodes in the cut is c), one can build a cut in G whose cost is 
equal to c in the following way: For any 1 < / < ^ + 1, 

1) If V; G Ss, and all the out-neighbors of Vi are in Ss^ put 
V;, Wi and Zi in §s. 

2) if Vi G St, and all the in-neighbors of Vi are in St^ put v/, 
Wi and Zi in St. 

3) if V; G Ss, and at least one out-neighbor of Vi is in St^ 
put V;, Wi in Ss and Zi in St. 

4) if V; G St, and at least one in-neighbor of is in Ss^ put 
Vi, Zi in §t and w/ in §s. 

One can verify that no edge with cost C is in the cut, 
and that an edge (vi^vj) is in the cut if and only if the 
corresponding edge (vi^vj) (which has the same weight) is in 
the initial cut. Moreover, for every node /, the edge (w;,V;), 
of weight Pi, will be in the cut if and only if at least one 
edge arriving at Vi was in the initial cut. Similarly, the edge 
(vi^Zi) will be in the cut if and only if at least one edge 
leaving Vi is in the initial cut. So, there will be a contribution 
Pi to the total cost if at least an edge arriving at is in the 
cut or at least one edge leaving Vi is in the cut (note that the 
two situations cannot happen simultaneously.) 
As a conclusion, the cost of the cut in G (counting 

the weights of the nodes) is equal to the cost of the cut 
{Ss.St} in G. 

Consider now an arbitrary cut in G, and the corresponding 
cut in G obtained by putting Vi in Ss if and only if Vi G 5^, as 



explained in the statement of this theorem. We show that the 
cut of G obtained has a cost (taking the vertex costs pi into 
account) smaller than or equal to the cost of the initial cut. 
This will imply that c* > c*. 

The cost of this new cut {^'^,5'^} consists indeed of all the 
Cij of edges (vi^vj) in the cut, and all the pi of the nodes at 
which arrives, or from which leaves an edge in the cut. 

Consider first an edge (v;,vy) in the cut, i.e., Vi G Ss^vj G St. 
By construction, this implies that G Ss and vj G St so that 
the edge (vi^vj) was also in the cut in G, incurring a same 

cost Cij. 

Consider now a node v/ from which leaves at least one edge 
in the cut, incurring thus a cost pi. (A symmetric reasoning 
applies if an edge in the cut arrives at v^, and no node has 
edges in the cut both leaving from and arriving at it.) Call vj 
the node at which arrives that edge. We have thus Vi G Ss and 
Vj G St, and therefore Vi G Ss, vj G St in G. This implies that 
one edge of the path consisting of {vi^Zi) and (zi^vj) is in the 
cut. These edges have respective costs pi and C > pi, so that a 
cost at least pi will be incurred by the cut in G. Note moreover 
that none of these edges will appear when considering other 
nodes and be counted more than once. 

We have thus shown that to each cost in the cut {^'^,5'/} for 
Problem [T] corresponds a larger or equal cost in {^'^,5'^} for 
the Min Cut problem, and thus that the former has a smaller 
cost. 

Therefore, if one takes any cut of optimal cost c* for the 
Min Cut problem on G, and applies the procedure described 
in the theorem, one obtains a cut of G with a smaller or equal 
cost for Problem [T] Since we have proved that the optimal cost 
of the latter problem is at least c*, this implies that c* = c* 
and that the cost obtained is optimal for Problem [T] on G. ■ 

There exist many efficient polynomial time algorithms solv- 
ing the Min Cut problem exactly when the weights are 
nonnegative (e.g. ll3T1l , ll32l ). Theorem [3] implies that the same 
algorithms can be used to solve efficiently Problem [T] and 
therefore problem (|9]l, and problem (|8) in the fully measured 
case. Moreover, observe that the size of this new graph G is 
proportional to that of G, as it has 3n nodes and 3\E\-\-2n 
edges. The order of the polynomial measuring the efficiency 
of the algorithms remains therefore unchanged. In particular, 
if the standard Min Cut problem on the new graph G 
is solved using the algorithm in [31 1 whose complexity is 
0{n\E \ +^^log(^)), our algorithm has the same complexity. 

Finally, consider a slight generalization of Problem [T] in 
which each node contains two different weights (one for cut- 
ting outgoing edges and the other for cutting incoming edges). 
Then with a corresponding modification in the auxiliary graph 
construction procedure in Section IV-AI (in the fourth bullet), 
the proposed method can still solve the generalization in 
polynomial time. 

VI. The Original Security Index Problem 
Targeting Edge and Node 

The relationship between the original security index prob- 
lem in (O, the problem in ([S]) and its binary restriction in ^ 
is summarized as follows: In the case where H{k,:) in ^ 



corresponds to the row of PiDA^ and -P2DA^ , ^ can be 
restated as ^ with an appropriate choice of e. Consequently, 
solving Q either exactly solves (0) or approximately solves 
([5]) with an error bound provided by (IT2t . depending upon 
whether the full measurement assumption or similar ones in 
Remark |4] are satisfied or not. 

Next, consider the case where H{k/.) corresponds to a 
row of P^ADA^ . The constraint H{k^ :)A0 = 1 means that the 
power injection at the target node, denoted v^, is nonzero. 
This implies that at least one edge incident to should have 
nonzero edge flow. Let ei with / = 1,2, .. . denote the column 
indices of A of the incident edges of v^. For any given k, 
consider the following instances (parameterized by ei) 



min card (//A 0) 

subject to H{k, \)Ae ^0 
A{:,ei)^Ae^O. 



(22) 



The minimum of J^^^, over all ei, is the optimal objective 
value of (O. In addition, consider a relaxation of (|22]) as 



(23) 



(24) 



JfptI — min cardf//A0) 

subject to A{\,ei)^Ae ^ 0, 
and its binary restriction 

Jf)a\ — min cardfifAO) 
<24) A0e{o,iri ^ ^ 

subject to A{:,ei)^Ae ^ 0. 

(|23]) is an instance of ([5]), and the fact that (l23l) has one fewer 
constraint than (l22l) implies that 

(25) 

On the other hand, (l24l) is an instance of (|9]), and 

•^ta^-^isa' (26) 

because if A0 G {0, l}""^^ is feasible to (|24l), then it is also 
feasible to (l22l) . Notice, however, that a feasible solution of 
(|23]) need not be feasible to (1221) . Let be defined such that 
/ |22| = min/|22|- The full measurement assumption or similar 

ones in Remark |4] implies that ^ ^JM ^ ^fel' together 
with (|25]) and (l26l) , suggests that 



23- 



This implies that the equalities above hold throughout, and 
solving ^ (by solving (l24l) ) indeed solves the original security 
index problem in (O (by solving (l22l)). On the other hand, if 
the full measurement assumption does not hold, then 



where the error upper bound AJ can be obtained from ([T2l) . In 
conclusion, all exact or approximate results pertaining to the 
case between ([5]) and © apply to the case between (O and 
(|9]). As discussed in Remark [51 the above error bound might 
be conservative. The approximation quality in practice will 
be demonstrated in Section IVIII containing some numerical 
examples on benchmark power networks. 
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Fig. 3. An instance of Problem [T] and are the source and sink nodes, 
respectively. The numbers next to the edges are the edge weights, and the 
node weights are labeled, for example, as P2 = 4 for node V2 . 

TABLE I 

The objective values of source sets^S^ = {v^} and Ss = {v^,vi,v2} 

IN THE GRAPH SETUPS OF THE CURRENT PAPER, lfl2ll AND (TS). AS ONE 
CAN SEE, ONLY OUR METHOD FINDS THE OPTIMAL CUT. 





cost in our method 


cost in |12| 


cost in [18J 
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10 


{V5,V1,V2} 


9 


1 


9 



VII. Numerical Examples 

A. Simple Illustrative Example of Problem [7] 

To illustrate that the proposed method is exact while previ- 
ous methods (e.g., |[T2l . |[T8]| ) are not, consider an instance of 
Problem [T] depicted in Fig. [3] Only two partitions need to be 
considered: Ss = {v^} and Ss = {v^,vi,V2}, with the respective 
objective values being 8 and 9 (indeed, the choice = {v^,V2} 
is strictly worse than {v^,vi,V2}). As a comparison, the meth- 
ods in |[T2l . ifTSl are also attempted. In particular, both [fT2l . 
ifTSl solve standard Min Cut problems with edge weights 
only. In |[T2ll the node weights are simply ignored, while in 
ifTSl the node weights are indirectly accounted for by adding 
them to the weights of the incident edges. Table II summarizes 
the objective values of the source sets {v^} and {v^,vi,V2} 
for the three graph setups. The italic numbers indicate the 
optimal objective values in the respective methods, suggesting 
that both |[T2l . ifTSll incorrectly choose Ss = {v^,vi,V2}, which 
is suboptimal to Problem [T] in the current paper. 

Constructing the auxiliary graph as described in Section |V] 
and solving the corresponding standard Min Cut problem 
leads to the node partitioning in Fig. (H In the auxiliary graph 
the optimal source set is {v^,wi,W2}, with the objective value 
being 8. According to the rule in Theorem [3] {v^} is the 
source set returned by the proposed procedure in this paper. 
It correctly solves Problem [T] 

B. The Security Index Problem on Benchmark Systems 

To demonstrate the effectiveness and accuracy of the pro- 
posed solution, the security index problem for two benchmark 
systems is considered (IEEE 118-bus ll33ll and Polish 2383-bus 
(341). See Fig. [5] for an illustration of the 118-bus system. 

First, the full measurement case is considered. The security 
index problem in ^ is solved for each measurement, using 
the proposed solution and the methods from [[T2l . [[TSl . The 
proposed method is guaranteed to provide the exact optimal 
solutions, as explained earlier in the paper. Both for the 118- 
bus and 2383-bus cases, the methods from lfT2l . ifTSl are ex- 
perimentally found to provide the exact solutions (though this 




Fig. 4. Solving the standard Min Cut problem in the auxihary graph 
corresponding to the instance in Fig.|3](the irrelevant node Ws is not shown). C 
is a large scalar constant defined in the auxiliary graph construction procedure 
in Section IV-AI The black nodes form the optimal source set (in the auxiliary 
graph), and the dotted red edges are cut. The optimal objective value is 8. 




Fig. 5. IEEE 118-bus benchmark system (33) 

is not guaranteed theoretically). The computation times for the 
three methods are listed in Table [III indicating that the methods 
have similar efficiency. The guarantee of optimality provided 
by our approach is obtained at no additional computational 
cost. The computation was performed on a PC with 2.4GHz 
CPU and 2GB of RAM. The minimum cut problems are solved 
using the MATLAB Boost Graph Library [l35l. [l36l. 

TABLE II 

COMPUTATION TIMES FOR ALL SECURITY INDICES IN THE FULL 
MEASUREMENT CASE FOR THE IEEE 1 1 8-BUS AND POLISH 2383-BUS 
BENCHMARKS. 
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Next, (O is considered when the full measurement assump- 
tion is removed. That is, the matrices Pi, P2 and in ([T]) 
need not be identities. In this test, the 118-bus system is 



considered. In the measurement system about 50% of power 
injections and power flows are measured. The measurements 
are chosen randomly, and the measurement system is verified 
to be observable (i.e., the corresponding H2 has full column 
rank (= n)). Since ([5]) is NP-hard in general, no efficient 
solution algorithm has been known. Enumerative algorithms 
include, for instance, enumeration on the support of HAO, 
finding the maximum feasible subsystem for an appropriately 
constructed system of infeasible inequalities \37L and the big 
M method to be described. The authors' implementations of 
the first two methods turn out to be too inefficient for the 
applications concerned. Therefore, the big M method is used, 
which sets up and solves the following optimization problem: 



minimize 

Ae,y 

subject to 



j 

HAO 
-HAG 
H{k,\)AQ 

yU) 



< 
< 



My 
My 
1 

{0,1} 



(27) 



In ([27]), M is a user-defined constant. If M > \\HAe''\\^ for 
at least one optimal solution A6^ of ([5]), then ([27l) provides 
the exact solution to (0). Otherwise, solving (IZTt yields a 
suboptimal solution, optimal among all solutions A6 such that 
II^AO 11^ < M. In principle a sufficiently large M can be found 
to ensure that the big M method indeed provides the optimal 
solution to © ll38ll . However, this choice of M is typically too 
large to be practical. In the numerical example in this section, 
M is simply chosen to be 10^. (1271) can be solved as a mixed 
integer linear program [|39l using solvers such as CPLEX [HOl . 
The solutions by the big M method are treated as references 
for accuracy for the rest of the case study. Fig. |6] shows the 
(big M) security indices for all chosen measurements. 

Alternatively, as described in Section |Vl] a suboptimal 
solution to (0) can be obtained by solving ^ exactly using 
the proposed method in Section Ivl or the ones from [fT2l . [fTSl . 
As explained earlier, © can be formulated as Problem [T] with 
Pi = 1 if and only if the injection measurement at bus v/ is 
taken and Cij = cji G {0, 1,2} being the total number of line 
power flow meters on the line connecting buses and vj. 
Fig. [71 Fig. [8] and Fig.[9l respectively, show the security index 
test results with the three Min Cut based methods (i.e., |[T2ll . 
[18| and the one proposed in this paper). These figures show 
only the big M security indices (in light blue, the heights of the 
crosses) and the overestimation (in red, the heights between the 
crosses and the circles) for the measurements where the Min 
Cut based methods do not agree with big M. The case study 
indicates that, among the three Min Cut based methods, 
the proposed method provides the most accurate suboptimal 
solutions to (0. In terms of computation time, the proposed 
method is most efficient as suggested by Table [Till 

TABLE III 

COMPUTATION TIMES FOR ALL SECURITY INDICES IN THE PARTIAL 
MEASUREMENT CASE FOR THE IEEE 1 1 8-BUS BENCHMARK. 





our method (s) 


112] 
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big M 


IEEE 118-bus 


0.17s 
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Fig. 6. Security indices for the partially measured 118-bus system. Security Fig, 



indices are computed using the big M method with M = 10 



Security index estimates for the partially measured 118-bus system. 
Security index estimates are computed using the method in lUsl. The figure 
shows only the inexact security index estimates (in circles) and the corre- 
sponding ones by the big M method (in crosses). 
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Fig. 7. Security index estimates for the partially measured 118-bus system. 
Security index estimates are computed using the method in lfT2l . The figure 
shows only the inexact security index estimates (in circles) and the corre- 
sponding ones by the big M method (in crosses). 



VIII. Conclusions 

It has been assumed that the security index problem, formu- 
lated as a cardinality minimization problem, cannot be solved 
efficiently. This paper formally confirms this conjecture by 
showing that the security index problem is indeed NP-hard. 
Nevertheless, the security index problem can be shown to be 
reducible to a Min Cut with costly nodes problem 
(Problem [TJ under the full measurement assumption. In this 
paper, we show that this problem is equivalent to a standard 
Min Cut problem on an auxiliary graph of proportional 
size, and can therefore be solved exactly and efficiently using 
standard techniques for the Min Cut problem. Under the full 
measurement assumption, this allows computing the minimal 
number of measurements with which one must tamper in 
order to feed incorrect information on the SCAD A system 
without being detected by a BDD method. The knowledge 
of this number can help strategically assigning protection 
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Fig. 9. Security index estimates for the partially measured 118-bus system. 
Security index estimates are computed using the method proposed in this 
paper. The figure shows only the inexact security index estimates (in circles) 
and the corresponding ones by the big M method (in crosses). 



resources (e.g., ||9l, BTI ). Our method also solves a mathe- 
matically equivalent problem of robustness of the observability 
properties of the system with respect to the failure of some 
measurements, assuming again full measurement. It remains to 
be determined if the solution could be efficiently approximated 
in the general (not fully measured) case. Indeed, even though 
our approach already provides an approximate solution to such 
general problems we do not know if this approximation comes 
with any guarantee of accuracy. 

Another interesting issue is the design question: in view of 
the exact solution of the security index problem presented in 
this paper, could one build efficient design methods in order 
to optimize the security index under some natural constraints? 
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